I think I have identified the issue and am working on a Pull Request with a fix.

Basically, the SetupWizard calls the security realm for validation of the entered data, but that method already sends a response, so the SetupWizard can't send another response. (This causes the stack trace)

Also, the frontend part is doing some black magic with iframes that seems to be blocked by at least Chrome (XSS; This causes the response to not show in the browser) and doesn't re-enable the buttons after an error response. (This causes the buttons being greyed out)

Philipp Nowak
added a comment - 2017-10-29 21:44 - edited I think I have identified the issue and am working on a Pull Request with a fix.
Basically, the SetupWizard calls the security realm for validation of the entered data, but that method already sends a response, so the SetupWizard can't send another response. (This causes the stack trace)
Also, the frontend part is doing some black magic with iframes that seems to be blocked by at least Chrome (XSS; This causes the response to not show in the browser) and doesn't re-enable the buttons after an error response. (This causes the buttons being greyed out)

This commit adds an additional account creation method to the
security realm, that allows to create a new user account (as the system)
and is intended to be used by the setup wizard.

The main difference to the existing method is that the new method does
not force the Stapler to send a response, but instead throws an
exception if invalid data is submitted. This allows to call this from
the setup wizard, and send the response there. (This is necessary
because the setup wizard method has a response return type and
there is no way to access the response already send in the realm)

Further, it splits the private createAccount() method for
clarity as well as to allow code reuse from the new method.

SCM/JIRA link daemon
added a comment - 2018-03-07 23:07 Code changed in jenkins
User: Literallie
Path:
core/src/main/java/hudson/security/AccountCreationFailedException.java
core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
core/src/main/java/jenkins/install/SetupWizard.java
war/src/main/js/pluginSetupWizardGui.js
war/src/main/js/templates/firstUserPanel.hbs
http://jenkins-ci.org/commit/jenkins/12031d7d59409186c8c36ac791736e475a883dc2
Log:
JENKINS-45387 Fix validation error displaying in setup wizard's "create first admin" form (#3116)
JENKINS-45387 Improve setup wizard account creation in security realm
This commit adds an additional account creation method to the
security realm, that allows to create a new user account (as the system)
and is intended to be used by the setup wizard.
The main difference to the existing method is that the new method does
not force the Stapler to send a response, but instead throws an
exception if invalid data is submitted. This allows to call this from
the setup wizard, and send the response there. (This is necessary
because the setup wizard method has a response return type and
there is no way to access the response already send in the realm)
Further, it splits the private createAccount() method for
clarity as well as to allow code reuse from the new method.
JENKINS-45387 Fix SetupWizard sending responses twice on create admin
This commit fixes an issue where the SetupWizard class would send
two responses (indirectly) when invalid form data was provided for
creating the first admin account.
[Fix JENKINS-45387] Setup wizard not displaying first account errors
This commit fixes the setup wizard not displaying HTML error
responses upon first account creation.
Previously, it just froze (buttons were not re-enabled) and didn't
display responses. (Probably caused by XSS policies on the iframe)
JENKINS-45387 Add some @Restricted annotations
As per
https://github.com/jenkinsci/jenkins/pull/3116#discussion_r172031063
https://github.com/jenkinsci/jenkins/pull/3116#discussion_r172051979